
How to make the time columns displayed on Splunk match those in the raw data

New Member

Hi, I'm a newbie here and need some guidance...

I have this kind of raw text:
2018 Apr 6 15:15:03:735 GMT +0700 BW.NISPJDBCSIBSGateway-1-NISPJDBCSIBSGateway-18-6 User [BW-User] TraceFlagTrue Job-6000 [NISPJDBCSIBS_Gateway/ProcessDefinition.process/Group/LogAfter]: Error148

When the data is forwarded to the Splunk server and searched by its index, the Time column is displayed in this kind of format:
4/6/18 10:15:03.735 PM

I've already tried to change it by modifying ...\SplunkUniversalForwarder\etc\apps\learned\local\props.conf, but the Time column is still not affected. I changed it like this:
[BIsaGila-toosmall]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N
PREFIX_SOURCETYPE = True
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 999999
NO_BINARY_CHECK = true
TZ = UTC
is_valid = True
maxDist = 9999

Please help me.

Thanks


Re: How to make the time columns displayed on Splunk match those in the raw data

Champion

Can you try putting props.conf on indexer?


Re: How to make the time columns displayed on Splunk match those in the raw data

New Member

Hi Gurav ... I've changed the props.conf on the server settings /opt/splunk/etc/apps/MyApps/default/props.conf, the place matches the configuration of the index I'm using.

When I tested it in the morning with this setting:

TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 24

When I searched it from Splunk Web, the Time column displayed the correct time:
Time Column --> 4/10/18 9:38:03.735 AM
Raw Data --> 2018 Apr 10 09:38:03:735 GMT +0700 BW.NISPJDBCSIBSGateway-1-NISPJDBCSIBSGateway-18-6 User [BW-User] TraceFlagTrue Job-6000 [NISPJDBCSIBS_Gateway/ProcessDefinition.process/Group/LogAfter]: Error150 2018 Apr 6 15:16:03:735 HARJA4

But when I tested it after 12 in the afternoon, the hours in the Time column on Splunk Web were displayed +7.
Help me here...


Re: How to make the time columns displayed on Splunk match those in the raw data

New Member

Do you mean by indexer on the Splunk Server? Where should I put it?


Re: How to make the time columns displayed on Splunk match those in the raw data

Champion

You can put it in the Splunk\etc\system\local or Splunk\etc\apps\your_app\local directory.


Re: How to make the time columns displayed on Splunk match those in the raw data

New Member

I think you can use the strptime function to convert your time field value to any desired format.


Re: How to make the time columns displayed on Splunk match those in the raw data

Ultra Champion

2 questions:

  1. Why would you want to set TZ = UTC if the log reports in GMT+0700?
  2. What exactly is your issue? Do you think something is wrong with the time value displayed in Splunk, or with the format in which it is displayed?

Re: How to make the time columns displayed on Splunk match those in the raw data

New Member
  1. To be honest I do not know how its configuration should be done; I followed someone who seems to have experienced something similar to me: https://answers.splunk.com/answers/555414/how-to-edit-propsconf-to-ignore-timezone-informati.html
  2. My issue is: on the Splunk web server, when I'm searching data, the Time column displays GMT+7, which does not match the raw data. In the raw data it is --> 2018 Apr 10 15:42:03:735 GMT +0700 Test22, but in the Time column it was displayed as 4/10/18 10:42:03.735 PM, which is not right. And I still cannot solve it.

Re: How to make the time columns displayed on Splunk match those in the raw data

Ultra Champion

What is your Splunk web interface set to, timezone-wise? (see your account settings)

The time displayed by Splunk will always differ from the timestamp in the raw event, if the timezone of the event is different from the timezone you use to view Splunk. Splunk will present the time value in your timezone, regardless of the timezone in the raw event.

Assuming you view Splunk in GMT+7
You ingest data with 2018 Apr 10 15:42:03:735 GMT +0700
You tell splunk that data is in UTC timezone (which it isn't)
Splunk will interpret the timestamp from the raw event as UTC (GMT) timezone and then add 7h to calculate the time value that Splunk displays to you (assuming you have Splunk web interface set to show in GMT+7). This results in a time value of 4/10/18 10:42:03.735 PM

So unless there is something more at hand, I think you need to simply make sure splunk interprets the timestamps in your events correctly. So either set the TZ to the correct value, or update the TIME_FORMAT setting to also read the timezone from the event.

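The interpretation described above, as an added example that is not part of the thread: a small Python model of how Splunk assigns a zone to the parsed timestamp (TZ = UTC versus reading the "+0700" offset from the event) and then renders it in the viewer's account timezone. The event line and the GMT+7 viewer setting are constructed assumptions; the helpers are hypothetical, not Splunk's own code.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event in the thread's format (not real log data).
EVENT = "2018 Apr 10 15:42:03:735 GMT +0700 Test22"

# Mirrors TIME_PREFIX = ^ and TIME_FORMAT = %Y %b %d %H:%M:%S:%3N, extended
# with the "GMT +0700" token so the offset can be taken from the event itself.
EVENT_RE = re.compile(
    r"^(\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3}) GMT ([+-])(\d{2})(\d{2})"
)

def parse_event_time(event, assumed_tz=None):
    """Return the event's timestamp as an aware datetime.

    assumed_tz set: apply that fixed zone to the naive timestamp and ignore the
    offset written in the event, which is what TZ = UTC in props.conf does.
    assumed_tz None: read the offset from the event, as a TIME_FORMAT that also
    consumes the timezone token would.
    """
    m = EVENT_RE.match(event)
    if m is None:
        raise ValueError("no timestamp at the start of the event")
    # %f reads the 3-digit "735" as 735000 microseconds, i.e. 735 ms (%3N).
    naive = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S:%f")
    if assumed_tz is not None:
        return naive.replace(tzinfo=assumed_tz)
    sign = 1 if m.group(2) == "+" else -1
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    return naive.replace(tzinfo=timezone(sign * offset))

def display_time(event_time, viewer_tz):
    """Render the value the way the Time column does: converted to the
    viewer's account timezone, in the M/D/YY h:MM:SS.mmm AM/PM layout."""
    t = event_time.astimezone(viewer_tz)
    hour12 = t.hour % 12 or 12
    ampm = "AM" if t.hour < 12 else "PM"
    return f"{t.month}/{t.day}/{t:%y} {hour12}:{t:%M:%S}.{t.microsecond // 1000:03d} {ampm}"

def compare(event, viewer_offset_hours):
    """Return (wrong, right): the display with TZ = UTC assumed, and the
    display with the offset read from the event, for a viewer at that UTC offset."""
    viewer_tz = timezone(timedelta(hours=viewer_offset_hours))
    wrong = display_time(parse_event_time(event, assumed_tz=timezone.utc), viewer_tz)
    right = display_time(parse_event_time(event), viewer_tz)
    return wrong, right

if __name__ == "__main__":
    wrong, right = compare(EVENT, 7)  # viewer's account set to GMT+7 (assumed)
    print("TZ = UTC assumed  :", wrong)  # 4/10/18 10:42:03.735 PM, the thread's wrong value
    print("offset from event :", right)  # 4/10/18 3:42:03.735 PM
```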